Bug 1889144 - rubygem-kramdown 1.9.0-2 not compatible with Ruby 2.0.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: rubygem-kramdown
Version: epel7
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Orphan Owner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-18 11:50 UTC by Thomas Bellman
Modified: 2021-02-27 22:33 UTC (History)

Fixed In Version: rubygem-kramdown-1.9.0-3.el7
Clone Of:
Environment:
Last Closed: 2021-02-27 22:33:34 UTC
Type: Bug
Embargoed:


Links
System: Red Hat Bugzilla
ID: 1858395
Private: 0
Priority: high
Status: CLOSED
Summary: CVE-2020-14001 rubygem-kramdown: processing template options inside documents allows unintended read access or embedded ...
Last Updated: 2021-11-02 17:15:33 UTC

Description Thomas Bellman 2020-10-18 11:50:49 UTC
Description of problem:

  The 1.9.0-2 version of the rubygem-kramdown RPM that was pushed to
  EPEL-7 yesterday (https://bugzilla.redhat.com/show_bug.cgi?id=1858415)
  is not compatible with the version of Ruby (2.0.0) in RHEL-7.
  Specifically, this line in the patch:

    define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|

  uses a syntax (<<~) that did not exist in Ruby 2.0.0, which is the
  version shipped in RHEL-7.  (If I read it correctly, that syntax
  appeared in Ruby 2.3.0.)



Version-Release number of selected component (if applicable):

  1.9.0-2.el7



Steps to Reproduce:

  1. Install kramdown gem from EPEL:
       # yum install rubygem-kramdown-1.9.0-2.el7
  2. Try to load kramdown:
       $ irb
       irb(main):001:0> require 'kramdown'

  This causes a syntax error to be raised:

     SyntaxError: /usr/share/gems/gems/kramdown-1.9.0/lib/kramdown/options.rb:596: syntax error, unexpected <<, expecting ')'
     ...tions, Object, %w[template], <<~EOF) do |val|
     ...                               ^



Additional info:

  The quick fix is to just change "<<~" to "<<" in the patch.  Bonus
  is to also dedent the documentation text so it starts in column 0.


Workaround:

  For people who have applications failing due to the broken version
  the quick-and-dirty workaround is to edit the file
      /usr/share/gems/gems/kramdown-1.9.0/lib/kramdown/options.rb
  and change "<<~" to "<<" on line 596.
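
A build-time check for this class of failure, as an added example that is not part of the original report or the package's own code: it lexes Ruby source and lists squiggly heredoc openers when the target interpreter is older than 2.3. The constant and function names and the sample heredoc body are assumptions made for illustration.

```ruby
require 'rubygems'
require 'ripper'

# Squiggly heredocs ("<<~") appeared in Ruby 2.3; older interpreters reject them.
SQUIGGLY_SINCE = Gem::Version.new('2.3')

# Constructed sample: the line quoted in the report, with a placeholder
# heredoc body (the patch's real documentation text is not on the page).
PATCHED = <<'RUBY'
define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
  placeholder documentation text
EOF
  val
end
RUBY

# The same sample with the report's quick fix applied ("<<~" changed to "<<").
FIXED = PATCHED.sub('<<~EOF', '<<EOF')

# Constructed decoy: "<<~" inside a string and a comment is not a heredoc.
DECOY = <<'RUBY'
puts "use <<~EOF only on newer Ruby" # e.g. <<~EOF
RUBY

# Return [line, token] for every squiggly heredoc opener. The Ripper lexer is
# used so that only real heredoc tokens count, not text in strings or comments.
# Run this under Ruby >= 2.3 (the build host); older lexers do not know "<<~".
def squiggly_heredocs(source)
  Ripper.lex(source)
        .select { |_pos, type, tok| type == :on_heredoc_beg && tok.start_with?('<<~') }
        .map { |pos, _type, tok| [pos[0], tok] }
end

# Hypothetical gate for a package build: list the openers that the target
# interpreter cannot parse; an empty list means this check passes.
def heredoc_violations(source, target_ruby)
  return [] if Gem::Version.new(target_ruby) >= SQUIGGLY_SINCE
  squiggly_heredocs(source)
end
```

Run against the patched files before pushing a backported security fix, this would flag the line from the report for a 2.0.0 target while passing the same line once "<<~" is changed to "<<".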

Comment 1 Mamoru TASAKA 2020-10-18 12:30:00 UTC
Well, so I don't want to push updates for EPEL.... actually I've never maintained any packages for EPEL, but because somehow it was assigned to me, I've pushed 1.9.0-2 update.

Now I've orphaned rubygem-kramdown for EPEL. I hope that someone can take care of this package on EPEL.

Comment 2 Mamoru TASAKA 2021-02-12 07:45:58 UTC
So as expected, no one is going to maintain this.
For now I am going to apply the suggested fix to close this.

Comment 3 Fedora Update System 2021-02-12 07:56:48 UTC
FEDORA-EPEL-2021-9753b59cd3 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-9753b59cd3

Comment 4 Fedora Update System 2021-02-13 01:50:00 UTC
FEDORA-EPEL-2021-9753b59cd3 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-9753b59cd3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-02-27 22:33:34 UTC
FEDORA-EPEL-2021-9753b59cd3 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.

